Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 24 Jan 2013 12:15:07 +0100
From: Frank Dittrich <frank_dittrich@...mail.com>
To: john-dev@...ts.openwall.com
Subject: PDF format incompatibility (jumbo-7 vs. jumbo-8)

I prepared 2 test files, obne freom the jumbo-7 pdf tst cases, one from
the jumbo-8 test cases (both attached).

I also built a john binary based on the jumbo-7 version (john-j7) and
one based on latest git (john-j8).

Tests start with an empty john.pot.

$ ./john-j7 pdf-test7
Loaded 4 password hashes with 4 different salts (PDF MD5 RC4 [32/64])
WHATwhatWHERE?   (WHATwhatWHERE?)
July2099         (July2099)
38r285a9         (38r285a9)
test             (test)
guesses: 4  time: 0:00:00:00 DONE (Thu Jan 24 11:57:46 2013)  c/s: 21.05
 trying: test
Use the "--show" option to display all of the cracked passwords reliably

$ ./john-j8 -show pdf-test7
test:test
July2099:July2099
WHATwhatWHERE?:WHATwhatWHERE?
38r285a9:38r285a9

4 password hashes cracked, 0 left

$ ./john-j8 --format=pdf -show pdf-test7
test:test
July2099:July2099
WHATwhatWHERE?:WHATwhatWHERE?
38r285a9:38r285a9

4 password hashes cracked, 0 left

$ ./john-j8 --format=pdf pdf-test7
Loaded 4 password hashes with 4 different salts (PDF MD5 SHA-2 RC4 / AES
[32/64])
No password hashes left to crack (see FAQ)


$ rm john.pot
$ ./john-j8 --format=pdf pdf-test7
Loaded 4 password hashes with 4 different salts (PDF MD5 SHA-2 RC4 / AES
[32/64])
guesses: 0  time: 0:00:00:00 21.44% (1) (ETA: Thu Jan 24 12:00:38 2013)
 c/s: 1626  trying: 38R285A97
guesses: 0  time: 0:00:00:01 54.25% (1) (ETA: Thu Jan 24 12:00:39 2013)
 c/s: 1815  trying: 38r285a993
guesses: 0  time: 0:00:00:03 74.30% (1) (ETA: Thu Jan 24 12:00:41 2013)
 c/s: 1818  trying: 38r285a941
guesses: 0  time: 0:00:00:04 98.33% (1) (ETA: Thu Jan 24 12:00:41 2013)
 c/s: 1877  trying: 38r285a91918
guesses: 0  time: 0:00:00:05 0.10% (2) (ETA: Thu Jan 24 13:23:58 2013)
c/s: 1426  trying: stephen
guesses: 0  time: 0:00:00:07 0.16% (2) (ETA: Thu Jan 24 13:13:32 2013)
c/s: 1296  trying: flamingo
guesses: 0  time: 0:00:00:08 0.22% (2) (ETA: Thu Jan 24 13:01:13 2013)
c/s: 1200  trying: boston
guesses: 0  time: 0:00:00:09 0.29% (2) (ETA: Thu Jan 24 12:52:20 2013)
c/s: 1125  trying: moroni
guesses: 0  time: 0:00:00:09 0.35% (2) (ETA: Thu Jan 24 12:43:29 2013)
c/s: 1066  trying: anita
guesses: 0  time: 0:00:00:13 0.58% (2) (ETA: Thu Jan 24 12:37:59 2013)
c/s: 897  trying: andrew1
Session aborted

Apparently, pfd format considered these hashes as valid, but missed to
crack them using single mode.

Now, let's use jumbo-7 again to insert these into the pot file:

$ ./john-j7 --format=pdf pdf-test7
Loaded 4 password hashes with 4 different salts (PDF MD5 RC4 [32/64])
WHATwhatWHERE?   (WHATwhatWHERE?)
July2099         (July2099)
38r285a9         (38r285a9)
test             (test)
guesses: 4  time: 0:00:00:00 DONE (Thu Jan 24 12:02:16 2013)  c/s: 20.00
 trying: test
Use the "--show" option to display all of the cracked passwords reliably

$ ./john-j8 --show pdf-test8
0 password hashes cracked, 5 left
$ ./john-j8 pdf-test8
Loaded 5 password hashes with 5 different salts (PDF MD5 SHA-2 RC4 / AES
[32/64])
openwall         (openwall)
testpassword     (testpassword)
openwall         (openwall)
testpassword     (testpassword)
test             (test)
guesses: 5  time: 0:00:00:00 DONE (Thu Jan 24 12:04:05 2013)  c/s: 22.72
 trying: test
Use the "--show" option to display all of the cracked passwords reliably

$ grep 289ece9b5ce451a5d7064693dab3badf101112131415161718191a1b1c1d1e1f
john.pot
$pdf$Standard*badad1e86442699427116d3e5d5271bc80a27814fc5e80f815efeef839354c5f*289ece9b5ce451a5d7064693dab3badf101112131415161718191a1b1c1d1e1f*16*34b1b6e593787af681a9b63fa8bf563b*1*1*0*1*4*128*-4*3*2:test
$pdf$2*3*128*-4*1*16*34b1b6e593787af681a9b63fa8bf563b*32*289ece9b5ce451a5d7064693dab3badf101112131415161718191a1b1c1d1e1f*32*badad1e86442699427116d3e5d5271bc80a27814fc5e80f815efeef839354c5f:test

$ grep 34b1b6e593787af681a9b63fa8bf563b john.pot
$pdf$Standard*badad1e86442699427116d3e5d5271bc80a27814fc5e80f815efeef839354c5f*289ece9b5ce451a5d7064693dab3badf101112131415161718191a1b1c1d1e1f*16*34b1b6e593787af681a9b63fa8bf563b*1*1*0*1*4*128*-4*3*2:test
$pdf$2*3*128*-4*1*16*34b1b6e593787af681a9b63fa8bf563b*32*289ece9b5ce451a5d7064693dab3badf101112131415161718191a1b1c1d1e1f*32*badad1e86442699427116d3e5d5271bc80a27814fc5e80f815efeef839354c5f:test

$ grep badad1e86442699427116d3e5d5271bc80a27814fc5e80f815efeef839354c5f
john.pot
$pdf$Standard*badad1e86442699427116d3e5d5271bc80a27814fc5e80f815efeef839354c5f*289ece9b5ce451a5d7064693dab3badf101112131415161718191a1b1c1d1e1f*16*34b1b6e593787af681a9b63fa8bf563b*1*1*0*1*4*128*-4*3*2:test
$pdf$2*3*128*-4*1*16*34b1b6e593787af681a9b63fa8bf563b*32*289ece9b5ce451a5d7064693dab3badf101112131415161718191a1b1c1d1e1f*32*badad1e86442699427116d3e5d5271bc80a27814fc5e80f815efeef839354c5f:test


Jumbo-8 doesn't recognize the hashes which were stored in john.pot by
jumbo-7.
IMHO, jumbo-8 needs a prepare() function which converts the
$pdf$Standard* hashes into the format expected by the jumbo-8 valid().

Furthermore, the jumbo-8 valid() needs to be improved.
I.e., without a prepare() which converts the jumbo-7 hashes, the jumbo-8
version should have rejected them as invalid.
(After s/:$pdf$Standard/:$pdf$St/, jumbo-8 still treats the hashes as
valid, but it shouldn't.)

Frank

View attachment "pdf-test7" of type "text/plain" (851 bytes)

View attachment "pdf-test8" of type "text/plain" (2047 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Powered by Openwall GNU/*/Linux - Powered by OpenVZ